GlobalProtect Access Route for a public website?

L4 Transporter

Hi folks,


We are using a PA 3020 PANOS 7.1.14.


We have entered all public IP addresses for Okta in our Global Protect Gateway Client Access route settings.

Our intention is for Okta to only see client IP requests come from our one corporate public IP (instead of the client's ISP).

We want split tunnelling except for when accessing <name>.okta.com.

We have our internal DNS server IP added for the GlobalProtect clients to use (forwarding configured to public DNS).


However, when connected to GlobalProtect <name>.okta.com will not resolve, "this site can't be reached", times out.

I've confirmed with a ping -a that the public IP it resolves to is in the list for access routes.

I've also tried adding an internal DNS zone for <name>.okta.com, but it has not helped.

Wondering if anyone has any tips?


Accepted Solutions
L4 Transporter

Re: GlobalProtect Access Route for a public website?

Are you positive there is a NAT rule for this outbound traffic?

Security policy to allow it?

Do you see this traffic in the logs?


All Replies

L4 Transporter

Re: GlobalProtect Access Route for a public website?

Yea, I think you are right, thank you.  We do not have a security rule in place from VPN zone to Untrust zone.  I assume because it was not necessary.

I just tried it, but still not working.  I believe I need to add all the IPs in there, since I am now getting a page not found error (instead of time out).

Traffic to the Okta public IP is not even registering in the traffic log at the moment, have not packet captured yet.


Not sure if the internal DNS zone I created for <name>.okta.com is needed or not, will try to find out.


Still testing, will update.

Cyber Elite

Re: GlobalProtect Access Route for a public website?

Hello,

Just another thought might be to not decrypt the traffic to Okta, if you are decrypting traffic.

Regards,

Cyber Elite

Re: GlobalProtect Access Route for a public website?

@OMatlock,

Just to ensure that you are actually getting all of the logs, you might want to override the interzone default policy to log the traffic, as if you don't have a security policy allowing it, the denied traffic won't be logged by default.

L4 Transporter

Re: GlobalProtect Access Route for a public website?

You were right.  I did not think to go add the VPN zone to the security rule to Untrust and to the Dynamic IP and Port NAT rule.

Resolved.  Thanks again!
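As an added example (not configuration from this thread or from Palo Alto Networks), the PAN-OS `set` commands for the fix described in the replies above: a VPN-to-Untrust security rule scoped to the Okta prefixes, a Dynamic IP and Port source NAT rule that includes the VPN zone so Okta sees the corporate public IP, and the interzone-default override so denied traffic is logged. The rule names, address-object names, the `<OKTA-PREFIX-n>` placeholders and `ethernet1/1` as the Untrust interface are assumptions; lines beginning with `#` are annotations, not CLI input.

```text
# Added example, not from the thread. Replace <OKTA-PREFIX-n> with the prefixes
# already entered as GlobalProtect access routes; ethernet1/1 is assumed to be
# the Untrust interface. Zone names VPN and Untrust are those used in the thread.
configure

# Address objects for the Okta public ranges, grouped so the security rule
# stays scoped to Okta rather than allowing all outbound traffic from VPN.
set address okta-net-1 ip-netmask <OKTA-PREFIX-1>
set address okta-net-2 ip-netmask <OKTA-PREFIX-2>
set address-group okta-public static [ okta-net-1 okta-net-2 ]

# Security rule: GlobalProtect clients (VPN zone) to the Okta ranges on Untrust.
# Without a rule like this, interzone-default drops the tunnelled traffic, which
# is what produced the "site can't be reached" timeout.
set rulebase security rules vpn-to-okta from VPN
set rulebase security rules vpn-to-okta to Untrust
set rulebase security rules vpn-to-okta source any
set rulebase security rules vpn-to-okta destination okta-public
set rulebase security rules vpn-to-okta application [ ssl web-browsing ]
set rulebase security rules vpn-to-okta service application-default
set rulebase security rules vpn-to-okta action allow
set rulebase security rules vpn-to-okta log-end yes

# Source NAT: translate VPN-zone clients to the Untrust interface address so
# Okta sees the corporate public IP instead of the client's ISP address.
set rulebase nat rules vpn-outbound-dipp from VPN
set rulebase nat rules vpn-outbound-dipp to Untrust
set rulebase nat rules vpn-outbound-dipp source any
set rulebase nat rules vpn-outbound-dipp destination any
set rulebase nat rules vpn-outbound-dipp service any
set rulebase nat rules vpn-outbound-dipp source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Log interzone-default denies so a missing rule shows up in the traffic log
# instead of being dropped silently (the check suggested above).
set rulebase default-security-rules rules interzone-default log-end yes

commit
```

After the commit, a session from a connected client to an Okta address should appear in the traffic log with the VPN source zone, the Untrust destination zone and the NAT rule name populated; a hit on interzone-default instead points to the security rule not matching.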
